Skill v1.2.0

VirusTotal security

Fleet Communication System · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:45 AM
Hash
57aac95674b27c27bc9b60325e60647d1fba9ce9517fa7f3081e8d317580a78c
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: fleet-comm
Version: 1.2.0

The skill is classified as suspicious due to multiple critical vulnerabilities. The `fleet_bus.js` component is susceptible to Cross-Site Scripting (XSS) in its web dashboard, as message content is rendered without sanitization. More critically, the bus lacks any authentication or authorization, allowing any client to send, read, or broadcast messages for any node, and register new nodes, leading to unauthorized access and message manipulation. Furthermore, the `SKILL.md` instructions, when executed by an AI agent, pose a prompt injection risk: if the agent does not properly sanitize user-provided messages before executing `fleet_cli.js` commands, it could lead to shell injection and remote code execution on the agent's host.